If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Vulnerability: IE buffer overflow in mshtml.dll

mshtml.dll contains buffer overflow while parsing HTML with embedded ActiveX components. Stack overrun occurs during concatenation of two Unicode strings. It's possible to exploit this vulnerability to execute any code of attacker's choice.

This overflow can only be exploited if "Run ActiveX Controls and Plugins" security option is enabled. *This option is disabled by default for Restricted Sites Zone Outlook 2000, Outlook Express 6.0 and prior with security update installed open all mail, but enabled by default in all different cases. This bug doesn't depend on Windows version.

Workaround:

Make sue "Run ActiveX Controls and Plugins" option is disabled for Internet and Restricted Sites zones in security options of Internet Explorer. Check security zone for Outlook Express is set to Restricted Sites.

Why does this not surprise me? MS as usual. I love my Tux box, but I'm forced to use my XP box for 98% of my bosiness dealings due to the overall coverage of MS products in the client base. So why does MS choose to wait until someone finds an open hole instead of just fessing up and addmitting it from the start? All they have to do is say, uh oh, we goofed. Here is how to fix it. Just like all the Linux companies do. (at least Debian and Mandrake, the main two I have used) This just gets so old. They try to play stupid. Like realy thsy did'nt know. Ok, so I'll give them a bennifit of doubt to a certain extent. But sheesh, give me a break. They have a hole, leak, patch, plug, or fix at least once a week or more. You know how many times I have had to upgrade or patch any of my Linux distro's? Four times in two years and the security is fine. Enough of this rant.

Thanks for the info. Will the MS insanity ever stop? I like the software just fine. I just want them to be honest with the developers and users, from the get go.